Rule Wazuh


Killua 053

Oct 21, 2023, 11:36:28 AM
to Wazuh | Mailing List
<rule id="100000" level="10">
    <mitre>
        <id>T1547.001</id>
    </mitre>
    <description>CurrentVersion Autorun Keys Modification</description>
    <if_group>sysmon_eid13_detections</if_group>
    <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion)</field>
    <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(\\\\ShellServiceObjectDelayLoad|\\\\Run\\\\|\\\\RunOnce\\\\|\\\\RunOnceEx\\\\|\\\\RunServices\\\\|\\\\RunServicesOnce\\\\|\\\\Policies\\\\System\\\\Shell|\\\\Policies\\\\Explorer\\\\Run|\\\\Group\ Policy\\\\Scripts\\\\Startup|\\\\Group\ Policy\\\\Scripts\\\\Shutdown|\\\\Group\ Policy\\\\Scripts\\\\Logon|\\\\Group\ Policy\\\\Scripts\\\\Logoff|\\\\Explorer\\\\ShellServiceObjects|\\\\Explorer\\\\ShellIconOverlayIdentifiers|\\\\Explorer\\\\ShellExecuteHooks|\\\\Explorer\\\\SharedTaskScheduler|\\\\Explorer\\\\Browser\ Helper\ Objects|\\\\Authentication\\\\PLAP\ Providers|\\\\Authentication\\\\Credential\ Providers|\\\\Authentication\\\\Credential\ Provider\ Filters)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\(Empty\))$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\NgcFirst\\\\ConsecutiveSwitchCount)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\WINDOWS\\\\system32\\\\devicecensus\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\winsat\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Microsoft\ OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Microsoft\ OneDrive\\\\Update\\\\OneDriveSetup\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\ \(x86\)\\\\Microsoft\ OneDrive\\\\Update\\\\OneDriveSetup\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\KeePass\ Password\ Safe\ 2\\\\ShInstUtil\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Everything\\\\Everything\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\ \(x86\)\\\\Microsoft\ Office\\\\root\\\\integration\\\\integrator\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\LogonUI\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(\\\\Authentication\\\\Credential\ Providers\\\\\{D6886603\-9D2F\-4EB2\-B667\-1971041FA96B\}\\\\)</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(\\\\Authentication\\\\Credential\ Providers\\\\\{BEC09223\-B018\-416D\-A0AC\-523971B639F5\}\\\\)</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(\\\\Authentication\\\\Credential\ Providers\\\\\{8AF662BF\-65A0\-4D0A\-A540\-A338A999D36F\}\\\\)</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(\\\\Authentication\\\\Credential\ Providers\\\\\{27FBDB57\-B613\-4AF2\-9D7E\-4FA7A66C21AD\}\\\\)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\ \(x86\)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\ \(x86\)\\\\Microsoft\\\\EdgeWebView\\\\)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\ \(x86\)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge\.exe)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\regsvr32\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(DropboxExt)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:A251\-47B7\-93E1\-CDD82E34AF8B\})$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera\ Browser\ Assistant)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Opera\\\\assistant\\\\browser_assistant\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\\\Program\ Files\\\\iTunes\\\\iTunesHelper\.exe")$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\\\Program\ Files\\\\Zoom\\\\bin\\\\installer\.exe"\ \/repair)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Greenshot\\\\Greenshot\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Google\\\\Drive\ File\ Stream\\\\)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(\\\\GoogleDriveFS\.exe)</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(GoogleDrive)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{CFE8B367\-77A7\-41D7\-9C90\-75D16D7DC6B6\})$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{A8E52322\-8734\-481D\-A7E2\-27B309EF8D56\})$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{C973DA94\-CBDF\-4E77\-81D1\-E5B794FBD146\})$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{51EF1569\-67EE\-4AD6\-9646\-E726C3FFC8A2\})$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\cmd\.exe\ \/q\ \/c\ rmdir\ \/s\ \/q\ "C:\\\\Users\\\\)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\cmd\.exe\ \/q\ \/c\ del\ \/q\ "C:\\\\Users\\\\)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\)</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\\{)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(\\\\AppData\\\\Local\\\\Package\ Cache\\\\\{)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(\}\\\\python\-)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\.exe"\ \/burn\.runonce)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Common\ Files\\\\Microsoft\ Shared\\\\ClickToRun\\\\)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Common\ Files\\\\Microsoft\ Shared\\\\ClickToRun\\\\Updates\\\\)</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\OfficeClickToRun\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Windows\ Defender\\\\MsMpEng\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\Microsoft\\\\Teams\\\\current\\\\Teams\.exe)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(\\\\Microsoft\\\\Teams\\\\Update\.exe\ \-\-processStart\ )</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\userinit\.exe)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:ctfmon\.exe\ \/n)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\AVG\\\\Antivirus\\\\Setup\\\\)</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\\\Program\ Files\\\\AVG\\\\Antivirus\\\\AvLaunch\.exe"\ \/gui)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:"C:\\\\Program\ Files\ \(x86\)\\\\AVG\\\\Antivirus\\\\AvLaunch\.exe"\ \/gui)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\{472083B0\-C522\-11CF\-8763\-00608CC02F24\})$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\aurora\-agent\-64\.exe)$</field>
    <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)(?:\\\\aurora\-agent\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora\-dashboard)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:C:\\\\Program\ Files\\\\Aurora\-Agent\\\\tools\\\\aurora\-dashboard\.exe)$</field>
    <field name="win.eventdata.targetObject" negate="yes" type="pcre2">(?i)(?:\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything)$</field>
    <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)(?:\\\\Everything\\\\Everything\.exe"\ \-startup)$</field>
</rule>
I have a rule, but it does not alert. So, could I be missing anything?

Daniel Sappa

Oct 22, 2023, 7:30:08 PM
to Wazuh | Mailing List
It seems to be a pretty complex rule.
In these cases it is useful to process the necessary fields little by little, since any slight error in the regex causes the rule not to trigger.

wazuh-logtest is a good ally for this.
https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html

On the other hand, it would be useful if you can share some log lines, so I can perform some tests on my part.
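Daniel's advice to verify the fields one at a time can be scripted. The following is an added example, not code from the thread or from Wazuh: it applies every `<field>` condition of a trimmed copy of the posted rule to a constructed Sysmon event ID 13 record and reports which conditions fail. It assumes Wazuh's AND-of-all-fields semantics and that decoded Windows paths carry doubled backslashes, as wazuh-logtest prints them; wazuh-logtest remains the authoritative check.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the rule from the thread: four of its <field> conditions, enough
# to show both the positive (negate="no") and the exclusion (negate="yes") cases.
RULE_XML = r"""
<rule id="100000" level="10">
  <description>CurrentVersion Autorun Keys Modification</description>
  <if_group>sysmon_eid13_detections</if_group>
  <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion)</field>
  <field name="win.eventdata.targetObject" negate="no" type="pcre2">(?i)(\\\\Run\\\\|\\\\RunOnce\\\\)</field>
  <field name="win.eventdata.details" negate="yes" type="pcre2">(?i)^(?:\(Empty\))$</field>
  <field name="win.eventdata.image" negate="yes" type="pcre2">(?i)^(?:C:\\\\Windows\\\\system32\\\\regsvr32\.exe)$</field>
</rule>
"""

# Constructed Sysmon event ID 13 records, keyed the way Wazuh names decoded fields.
# Backslashes are doubled, as wazuh-logtest prints them for Windows paths, which is
# why the rule's patterns spell a single path separator as \\\\ (assumption).
EVENT_RUN_KEY = {
    "win.eventdata.targetObject": r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "win.eventdata.details": r"C:\\Users\\Public\\updater.exe",
    "win.eventdata.image": r"C:\\Users\\Public\\updater.exe",
}
EVENT_EMPTY_VALUE = dict(EVENT_RUN_KEY, **{"win.eventdata.details": "(Empty)"})

def rule_fields(rule_xml):
    """Yield (field name, negate flag, pattern) for every <field> in the rule."""
    for f in ET.fromstring(rule_xml.strip()).iter("field"):
        yield f.get("name"), f.get("negate", "no") == "yes", f.text

def check_rule(rule_xml, event):
    """Evaluate every <field> condition against one event.
    Returns (fires, failures): fires is True only when all conditions hold (Wazuh
    ANDs them); failures lists (name, pattern) for those that did not.
    A missing field counts as "pattern did not match" (a simplification)."""
    failures = []
    for name, negate, pattern in rule_fields(rule_xml):
        value = event.get(name)
        matched = value is not None and re.search(pattern, value) is not None
        if matched == negate:  # negate="yes" must NOT match, negate="no" must match
            failures.append((name, pattern))
    return not failures, failures

if __name__ == "__main__":
    for label, ev in (("run key", EVENT_RUN_KEY), ("(Empty) value", EVENT_EMPTY_VALUE)):
        fires, failures = check_rule(RULE_XML, ev)
        print(f"{label}: fires={fires}")
        for name, pattern in failures:
            print(f"  condition failed: {name} {pattern}")
```

Feeding an event whose paths carry single backslashes makes both targetObject conditions fail, which is the kind of escaping slip that silently keeps a rule from triggering.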